Thursday, March 27, 2008

Identity theft: Income tax returns and stolen identities

The University of California's Irvine campus recently made the following announcement:

UC Irvine has received more than 50 reports that Social Security numbers have been stolen and used to file fraudulent tax returns to gain refunds. Victims are identified as current and former UCI graduate students and medical students. In most cases, the students have discovered the issue when they electronically submit their federal income tax returns and the IRS informs them that someone has already filed using their name and Social Security number.
This should be particularly disturbing to people, as it isn't simple credit card fraud - actual tax returns were filed using these Social Security numbers. Not only could this cause real hassles in dealing with the IRS if it becomes a widespread issue, but it means that attackers have discovered how little validation there is in the IRS tax return system and exploited it to their advantage.

This is the first time I've seen a report of relatively large-scale tax return fraud with the intent to make money from returns on more than an individual basis, but, if it is successful and doesn't result in a successful investigation, it likely won't be the last.

It will be interesting to see if similar issues occur at other campuses dealing with SSN exposures. The IRS is handling it reasonably well - they're allowing second, valid returns to be filed, and are asking the affected individuals to file police reports. It is worth noting that they are requesting a paper tax return be sent to a specific office: online tax return submission may make this exploit much easier.

UCI now gets to try to find out if they were the source of a data leak - from the FAQ on their announcement page:
Q. Does this appear to be an isolated case?
There are more than 50 cases at UCI, but this currently appears to be focused on graduate and medical students.
With that sort of pattern, we may well see a breach announcement in the near future as required by the California Breach Disclosure Act - UCI notes that they are currently investigating.

Flickr Creative Commons licensed image credit to Matt Honan.
